test: add a test to check for nested virtualization

Check that nested virtualization is disabled in all our CPU templates.

Other tests already check for CPU features explicitly, but this test
just checks that virtualization is not available to the guest, however
the means.

Signed-off-by: Pablo Barbáchano <[email protected]>

Author: pb8o

tests/conftest.py

@@ -293,6 +293,18 @@ def custom_cpu_template(request, record_property):
     return request.param
 
 
+@pytest.fixture(
+    params=list(static_cpu_templates_params()) + list(custom_cpu_templates_params())
+)
+def cpu_template_any(request, record_property):
+    """This fixture combines static and custom CPU templates"""
+    if "name" in request.param:
+        record_property("custom_cpu_template", request.param["name"])
+    else:
+        record_property("static_cpu_template", request.param)
+    return request.param
+
+
 @pytest.fixture(params=["Sync", "Async"])
 def io_engine(request):
     """All supported io_engines"""

tests/integration_tests/security/test_nv.py

@@ -0,0 +1,48 @@
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""Tests ensuring nested virtualization is not present when using CPU templates.
+
+We have tests that ensure CPU templates provide a consistent set of features in
+the guest:
+
+- file:../functional/test_cpu_features.py
+- file:../functional/test_feat_parity.py
+- Commit: 681e781f999e3390b6d46422a3c7b1a7e36e1b24
+
+These already include the absence of VMX/SVM in the guest.
+
+This test is a safety-net to make the test explicit and catch cases where we
+start providing the feature by mistake.
+"""
+
+import pytest
+
+
+@pytest.fixture
+def uvm_with_cpu_template(
+    microvm_factory, guest_kernel, rootfs_ubuntu_22, cpu_template_any
+):
+    """A microvm fixture parametrized with all possible templates"""
+    vm = microvm_factory.build(guest_kernel, rootfs_ubuntu_22)
+    vm.spawn()
+    cpu_template = None
+    if isinstance(cpu_template_any, str):
+        cpu_template = cpu_template_any
+    vm.basic_config(cpu_template=cpu_template)
+    if cpu_template is None:
+        vm.api.cpu_config.put(**cpu_template_any["template"])
+    vm.add_net_iface()
+    vm.start()
+    yield vm
+
+
+def test_no_nv_when_using_cpu_templates(uvm_with_cpu_template):
+    """
+    Double-check that guests using CPU templates don't have Nested Virtualization
+    enabled.
+    """
+
+    vm = uvm_with_cpu_template
+    rc, _, _ = vm.ssh.run("[ ! -e /dev/kvm ]")
+    assert rc == 0, "/dev/kvm exists"